🚅 Rails security update #18

Did you see the Bundler vulnerability recently? If a Gemfile contains more than one top-level "source" line, Bundler treats all of them as global: every gem in the Gemfile, not just the one you added the extra source for, may be installed from whichever source offers a gem of that name. So a gem you expect from rubygems.org can silently come from the other source (or the other way round) if a same-named gem exists there. You already trust that source to some extent, since it is in your Gemfile, but probably not for all of your gems. The fix is to scope the extra source to its gems with a "source ... do ... end" block, as described in the original blog post. And now for something completely different:
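To make the source-selection problem concrete, here is an added example (not from the newsletter, and not Bundler's own code): a toy model of Bundler's Gemfile DSL that records which sources each gem could be fetched from. It runs two constructed Gemfiles through the model, one with two top-level sources and one with the private source scoped to a block; https://gems.example.internal is a hypothetical private gem server.

```ruby
# Added example (not from the newsletter, and not Bundler's own code): a toy
# model of how Bundler treats "source" lines, showing why several top-level
# sources let any gem be installed from any of them, and why a source block
# scopes the gems declared inside it. The two Gemfiles are constructed;
# https://gems.example.internal is a hypothetical private gem server.

class GemfileModel
  def initialize
    @global_sources = []   # every bare "source" line, in order
    @block_source = nil    # the source of the block currently being evaluated
    @gems = {}             # gem name => block source, or :global
  end

  # A bare "source" adds another global source; "source ... do ... end"
  # scopes the gems declared inside the block to that one source.
  def source(url, &block)
    if block
      previous, @block_source = @block_source, url
      instance_eval(&block)
      @block_source = previous
    else
      @global_sources << url
    end
  end

  # Version requirements are irrelevant to the source question, so ignore them.
  def gem(name, *_requirements)
    @gems[name] = @block_source || :global
  end

  def self.load(gemfile_text)
    model = new
    model.instance_eval(gemfile_text)
    model
  end

  # Sources Bundler may fetch this gem from. Global sources apply to every
  # unscoped gem regardless of where in the file the source line appears.
  def candidate_sources(name)
    scope = @gems.fetch(name)
    scope == :global ? @global_sources.dup : [scope]
  end

  # Gems that could come from more than one source: a same-named gem on any
  # of those sources would be installed in place of the one you meant.
  def ambiguous_gems
    @gems.keys.select { |name| candidate_sources(name).size > 1 }
  end
end

# Constructed Gemfile: the private source was added for one gem, but it is a
# second top-level source, so it also becomes a candidate for rails.
UNSAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails", "~> 5.0"
  gem "internal-billing"
GEMFILE

# Constructed Gemfile with the fix: the private source only covers the gems
# declared inside its block.
SAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 5.0"

  source "https://gems.example.internal" do
    gem "internal-billing"
  end
GEMFILE

if $PROGRAM_NAME == __FILE__
  [["unsafe", UNSAFE_GEMFILE], ["safe", SAFE_GEMFILE]].each do |label, text|
    model = GemfileModel.load(text)
    puts "#{label}: ambiguous gems = #{model.ambiguous_gems.inspect}"
  end
end
```

In the unsafe Gemfile both gems are ambiguous, so a "rails" gem published to the private server (or an "internal-billing" gem pushed to rubygems.org) would be a candidate for installation. In the scoped version each gem maps to exactly one source, which is the property you want to check for in every Gemfile you ship.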

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Some Cross-Origin Resource Sharing (CORS) misconfiguration misconceptions

Is Your Site Leaking Password Reset Links?

If the password reset page loads third-party scripts, images or analytics, the reset URL, token included, may be sent to those hosts in the Referer header. Worth fixing on your site as a second layer of defense alongside short-lived, single-use tokens.
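One way to add that second layer in a Rack-based app, as an added example that is not from the linked article and not Rails or Rack code: a middleware that sets a Referrer-Policy header on reset pages, plus a helper that classifies whether a given policy value can still leak the full URL to a cross-origin host. The /password/reset path, the inner app and its response are hypothetical and constructed for the example.

```ruby
# Added example (not from the linked article, and not Rails or Rack code): a
# Rack-style middleware that sets a Referrer-Policy header on password reset
# pages, plus a helper that says whether a policy value can leak the full
# URL, reset token included, to a cross-origin host. The /password/reset path
# and the inner app are hypothetical; the response is constructed.

# Policies under which a cross-origin request carries at most the origin,
# so a token in the path or query string never reaches a third-party host.
ORIGIN_ONLY_POLICIES = %w[
  no-referrer same-origin origin strict-origin
  origin-when-cross-origin strict-origin-when-cross-origin
].freeze

# Policies that send the full URL to cross-origin HTTPS destinations.
FULL_URL_POLICIES = %w[unsafe-url no-referrer-when-downgrade].freeze

# True when the header (absent, or with the given value) lets browsers send
# the full URL to another HTTPS origin. The header may list fallbacks
# separated by commas; browsers use the last value they recognize, and an
# absent or unrecognized policy behaves like no-referrer-when-downgrade.
# Tokens are matched exactly, so any other spelling counts as unrecognized.
def leaks_full_url_cross_origin?(header_value)
  tokens = header_value.to_s.split(",").map(&:strip)
  effective = tokens.reverse.find do |t|
    ORIGIN_ONLY_POLICIES.include?(t) || FULL_URL_POLICIES.include?(t)
  end
  effective.nil? || FULL_URL_POLICIES.include?(effective)
end

class ResetLinkReferrerPolicy
  RESET_PATH = %r{\A/password/reset}   # hypothetical route for reset links

  def initialize(app, policy: "no-referrer")
    @app = app
    @policy = policy
  end

  # Leaves other pages alone; on reset pages, overrides any policy that
  # would still leak the URL. Headers are copied so the inner app's hash is
  # not mutated.
  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless env["PATH_INFO"].to_s =~ RESET_PATH
    headers = headers.dup
    if leaks_full_url_cross_origin?(headers["Referrer-Policy"])
      headers["Referrer-Policy"] = @policy
    end
    [status, headers, body]
  end
end

# Constructed inner app: a reset page that embeds a third-party script and
# sets no Referrer-Policy, so the token in the URL would be sent along with
# the script request.
LEAKY_APP = lambda do |_env|
  page = '<html><body><script src="https://cdn.example.net/widget.js"></script>' \
         '<form method="post"><input name="password"></form></body></html>'
  [200, { "Content-Type" => "text/html" }, [page]]
end

if $PROGRAM_NAME == __FILE__
  app = ResetLinkReferrerPolicy.new(LEAKY_APP)
  _, headers, _ = app.call("PATH_INFO" => "/password/reset/0123abcd")
  puts "Referrer-Policy on reset page: #{headers['Referrer-Policy']}"
end
```

The header covers every request the reset document initiates (script and image fetches, the form post), which is what closes the Referer leak. The classifier treats a missing or unrecognized value as leaky because browsers fall back to no-referrer-when-downgrade, which still sends the full URL to HTTPS third parties.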

CSP Mitigator

A Content-Security-Policy test tool to come up with the best policy in the first place. By Google.
